Solved

Organization Preparation FAILED The ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed

Posted on 2014-12-22
Last Modified: 2015-01-14
Hi people,

I'm having some problem with the following error message when executing the Exchange Server 2010 SP3 installation on my Schema Master domain controller under my admin account:

    Organization Preparation FAILED The following error was generated when "$error.Clear();
        initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".


I'm trying to delete the "Microsoft Exchange Security Groups" in the AD Users & Computers console with advanced view, but somehow the search returns no result?

Any help and suggestion would be appreciated muchly.

Thanks.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513548
and this is the part of the ExchangeSetup.Log for more details:

[12/22/2014 18:01:09.0096] [1] Executing:
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions
[12/22/2014 18:01:09.0299] [2] Active Directory session settings for 'initialize-ExchangeUniversalGroups' are: View Entire Forest: 'True', Configuration Domain Controller: 'PRODDC01.MyDomain.com', Preferred Global Catalog: 'PRODDC01.MyDomain.com', Preferred Domain Controllers: '{ PRODDC01.MyDomain.com }'
[12/22/2014 18:01:09.0299] [2] Beginning processing initialize-ExchangeUniversalGroups -DomainController:'PRODDC01.MyDomain.com' -ActiveDirectorySplitPermissions:$null
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:10.0940] [2] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:10.0940] [2] The object exists.
[12/22/2014 18:01:11.0143] [2] Ending processing initialize-ExchangeUniversalGroups
[12/22/2014 18:01:11.0143] [1] The following 1 error(s) occurred during task execution:
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateExchangeUSGContainer(String name, ADSystemConfigurationSession session, ADObjectId domain)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[12/22/2014 18:01:11.0158] [1] The following error was generated when "$error.Clear();
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 18:01:11.0158] [1] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0158] [1] The object exists.
[12/22/2014 18:01:11.0158] [1] [ERROR-REFERENCE] Id=443949901 Component=
[12/22/2014 18:01:11.0158] [1] Setup is stopping now because of one or more critical errors.
[12/22/2014 18:01:11.0158] [1] Finished executing component tasks.
[12/22/2014 18:01:11.0377] [1] Ending processing Install-ExchangeOrganization
[12/22/2014 18:01:11.0580] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[12/22/2014 18:01:11.0783] [0] End of Setup
[12/22/2014 18:01:11.0783] [0] **********************************************
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40513692
Hi ITSystemsEngineer,

So are you upgrading from a previous version of Exchange 2010? If so, the only schema update you need to do is:

Setup.com /PrepareAD

You don't need to run any of the others. Check out my blog post on upgrading to SP3 here.

https://supertekboy.com/2014/05/01/exchange-2010-installing-service-pack-3/

I would also recommend NEVER moving or deleting the Exchange Security Groups.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513702
Hi Gareth,

I'm trying to update SP2 to SP3 and yes, I only tried to execute the "Setup.com /PrepareAD" command on the AD/DC Schema master role, but it failed.

The AD security group does not exist in the ADUC console?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 400 total points
ID: 40513707
Interesting. That OU should definitely exist. It should be right under the domain root. Is this a single-domain forest? If you have multiple domains in the forest make sure you run this command from the root domain.

Any chance Exchange was set up with split-AD permissions?

Does your account also have Enterprise Admin rights?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513717
Well, it doesn't exist in the root domain, but somehow setup.com complains that it exists in AD even though I can't see it anywhere.

Yes, this is just a single domain forest. I don't have multiple.

Split-AD permissions? What is that? I'm new to Exchange Server 2010.

My account is already a member of the Enterprise, Domain and Schema Admins.
0
 
LVL 41

Assisted Solution

by:Amit
Amit earned 100 total points
ID: 40513746
Follow this:

1) Upgrade the schema for Exchange 2010 SP3. If you have Enterprise and Schema Admin rights, setup will do it automatically, however if not, then AD team is required to perform this task.

 Purpose of this Schema Update:
 ===================

 In Order to have the Exchange 2010 SP3 deployed across the environment, it is a prerequisite to have the Active Directory Schema to be extended for supporting Exchange 2010 SP3. During this upgrade, the Active Directory Schema will be extended to support Exchange 2010 SP3.

 Steps to be performed for this upgrade:
 ================================

 Reference Article –
http://technet.microsoft.com/en-in/library/bb629560(v=exchg.141).aspx

 Prerequisites: AD account needs to be a member of the following groups
 Member of: Domain Admin, Enterprise Admin, Schema Admin

 Install Active Directory Management Tools (Run this Command, if Required)
 ServerManagerCmd -i RSAT-ADDS

 Software Location Exchange 2010 SP3
http://www.microsoft.com/en-us/download/details.aspx?id=36768

 Download it, extract it, and run the commands below to prepare the schema.

  setup /PrepareLegacyExchangePermissions (Optional):
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion
  Setup /PrepareSchema
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion
  Setup /PrepareAD /OrganizationName:"Your Org Name"
  Check C:\ExchangeSetupLogs\ExchangeSetup.log for successful completion

 How to verify schema version?
http://technet.microsoft.com/en-in/library/bb125224%28v=exchg.141%29.aspx

2) Steps for Upgrading Exchange 2010 to SP3

 Software Location:
 1) Exchange 2010 SP3: http://www.microsoft.com/en-in/download/details.aspx?id=36768

 Note: Any Interim Updates for Exchange Server 2010 must be uninstalled prior to installing this update.

 As I have all roles in one server in a 2 node DAG, kindly perform the steps below.

 Phase 1: Upgrading Database Availability Groups to Exchange 2010 SP3 (Start with Passive)

 Note: Make sure to take full Exchange backup, including system state or any custom setting related to CAS role. Do save the OWA folder under bin path too. During SP3 installation, Exchange setup removes all SP2 related folders; in case you have any proxying it might fail, so make sure to upgrade all servers, however one by one.

 1) Open Exchange Management Shell, browse to script folder and run below command
       
 .\StartDagServerMaintenance.ps1 -serverName servername

 Note: This script moves all Exchange related components, including the database, to another server.
             
 2) Disable the Forefront by using below command (It might ask you to stop few Exchange services)

 fscutility /disable

 3) Stop the OS Antivirus services and Monitoring Agent for Microsoft Exchange Server

 4) Verify Backups are completed.

 5) Run the SP3 setup files using the GUI or go to run setup /m:upgrade. If you are getting an IIS component error, go to run setup /mode:upgrade /installwindowscomponents

 Note: If you are getting this error "A Restart from a Previous Installation is Pending"

 Open regedit and delete the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations key and Rerun Setup.

 Ref: http://technet.microsoft.com/en-us/library/cc164360(v=exchg.80).aspx

 6) Reboot the server

 7) After reboot verify below logs for any error:
       
 Event Logs
 
 Setup Logs (C:\ExchangeSetupLogs)

 Services - All Exchange related services are running.
       
 Check IIS Settings are not changed.
       
 Check Authentication settings from EMC for OWA/OMA/ESW. If you find any change revert back to old.
       
 8) Enable Forefront Protection for Exchange. Command fscutility /enable (It might ask you to stop few Exchange services)

 9) Start OS Antivirus and Exchange Monitoring Agent Services
       
 10) .\StopDagServerMaintenance.ps1 -serverName servername

 11) Now use same steps on another server in DAG.

 -------------------------------------------------------------------------------------------------

Phase 2: Upgrade Management Tools

 If you have installed management tools in any other machine make sure to upgrade those also.
 -------------------------------------------------------------------------------------------------
Finally: - how to verify the upgrade.

 Go to PowerShell and type the command below.

 GCM exsetup |%{$_.Fileversioninfo}
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513760
Thanks for the reply, Amit.

Since I'm running the setup.com from the DC using RDP, do I have to run "ServerManagerCmd -i RSAT-ADDS"?

My problem is in the missing Exchange AD Security group which stops me in continuing the SP3 upgrade.
0
 
LVL 41

Expert Comment

by:Amit
ID: 40513804
If you are running from the DC, then you don't need it. Did you try to run cmd as administrator?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513809
Yes, I have already tried with Run as Administrator.
Not sure why this missing security group is stopping me from installing SP3 :-/
0
 
LVL 41

Expert Comment

by:Amit
ID: 40513814
That is an important group. Run prepare domain first using SP2 and then try again.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40513820
OK, so in an Exchange Server 2010 environment (all SP versions), MUST that group exist in the Active Directory Users & Computers console under domain.com?

My understanding is that it was only needed for Exchange Server 2007 but not 2010.

Why do I have to run it using the older setup files on my working production servers?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 400 total points
ID: 40513961
Yes. Those groups are required in 2010 as well. They are critical to the Exchange RBAC model.

I wonder if someone moved that OU or those groups to somewhere else in Active Directory.

One of these groups is Organization Management. That group basically has rights over the entire Exchange environment.

If you go to the Properties of your own user account and check the Member Of tab, do you see Organization Management listed?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514034
Gareth,

I cannot see it under my Member Of tab. When I run the Exchange BPA, the wizard result reports that the group is empty.

However, I can still add myself into the group using the Exchange Management console from Outlook Web App.

Upon checking the membership from the ADUC console in the Member Of tab, I got this error pop-up when clicking on the Organization Management group.

---------------------------
Active Directory Domain Services
---------------------------
There is no such object on the server.
---------------------------
OK  
---------------------------

But the entry still exists on the Member Of tab.

Re-running the Setup.com /PrepareAD in the Schema Master role elevated command prompt still gives me the same error message.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514070
I'm not sure how to check if my Exchange Server was set up as split permission or RBAC by my predecessor.
Is there any way to check it?

Do I have to execute the service pack with the following command instead?
Setup.com /PrepareAD /ActiveDirectorySplitPermissions:True

0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514246
I am assuming a search of AD doesn't turn up the Organization Management group either?

Check this article. Specifically the last section titled "Switch from Active Directory split permissions to shared permissions"
http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx

To disable split-permissions you would actually toggle it to False.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514253
search of AD doesn't turn up the Organization Management group either?

Yes, that is the case. I cannot find all of the following security groups through the ADUC:

"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

But when I execute the PowerShell command below, I can see them listed and associated with my user account and some groups.

[PS] C:\Windows\system32>get-rolegroupmember "organization management" | ft -AutoSize

Name                                 RecipientType
----                                 -------------
Exchange Organization Administrators Group
Administrator                        UserMailbox
Alex Santana                         UserMailbox
Mail Security Service Account        UserMailbox
John Henry                           UserMailbox


[PS] C:\Windows\system32>get-rolegroupmember "recipient management" | ft -AutoSize

Name                              RecipientType
----                              -------------
Exchange Recipient Administrators Group
IT-Helpdesk-HeadOffice            Group


[PS] C:\Windows\system32>

Gareth,
My goal here is to allow the SP3 installation to be applied on all Exchange 2010 servers. I don't want to mess around with the current security scheme because I don't know how to set it up and why it was set up before.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514263
I wonder if there is anything wrong with that DC perhaps. I noticed setup was hitting PRODDC1.

Maybe we could force setup to use another DC?

Can't remember if you can couple /PrepareAD with /DomainController switches.
0
 
LVL 41

Expert Comment

by:Amit
ID: 40514265
Better call MS.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514267
One other random thought. Not sure what level your AD forest is at.

But those objects aren't in the AD Lost and Found / Recycle Bin are they?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514283
Gareth, both Domain and Forest functional levels are at Windows Server 2003.

Somehow I cannot find the result after following the steps in http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

here's the view from the Lost & Found:Lost
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514286
Yea I agree with Amit. I think this is a call to Microsoft.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514318
OK, I'm inclined towards doing the steps described here: http://www.itguydiaries.net/2012/07/omg-exchange-security-groups-were.html

I know that the error message is different, but somehow I cannot find all of the Exchange built-in security groups that were supposed to be there.

So can I actually perform the steps described in the above web page and then continue with the Setup.com /prepareAD without causing any email downtime or problem later on?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514322
Hmmm. I've seen these steps before. Never tried them though.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514328
Yeah, that's the thing.
Because the error message in the ExchangeSetup.LOG is totally different from what you can see in the blog above.

But interestingly, the author of the blog describes how to repopulate the built-in AD security group to continue with the SP installation.

My assumption is that during the Schema update/extension in the Domain Controller, Exchange will still be working during business hours, right? Please correct me if I'm wrong.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40514372
There is no downtime while you are running the schema updates.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40514726
OK, so in my case here I need some clarification. Does the normal working condition of Exchange Server 2010 require the following example built-in security groups to exist in AD?
"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

Regardless what the security mechanism that is used.

I got confused myself as to why I must recreate the simple AD security group through Setup.com package.
0
 
LVL 31

Accepted Solution

by:Gareth Gudger
Gareth Gudger earned 400 total points
ID: 40519603
Hey ITSystemEngineer,

This is what you should normally see.

ExchangeGroups.jpg
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40519618
Thanks Gareth,

So in order to restore those missing groups, is there any outage required to run setup.com /prepareAD after clearing the corrupted ADSI Edit entry?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 400 total points
ID: 40519678
Nope. Shouldn't be any outage at all.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40521010
Thanks !
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40548880
OK, I just realized that my AD user account cannot see those built-in AD security groups.
I can now see them using the DOMAIN\Administrator account.

That's very strange :-/ because my DOMAIN\Username is already a member of the Schema and the Enterprise Administrators, but somehow it is showing the security group as a corrupted object.
0
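
An added example, not part of the thread: PowerShell that reads ExchangeSetup.log lines in the format quoted earlier, reports the task, domain controller and distinguished name behind the "already exists" failure, and with -CheckDirectory tests whether the account running it can bind to that object. The function names, the -CheckDirectory switch and the embedded sample lines are constructed for illustration.

```powershell
# Added example, not from the thread. Function names, the -CheckDirectory
# switch and the embedded sample are constructed for illustration.
param(
    [string]$LogPath = 'C:\ExchangeSetupLogs\ExchangeSetup.log',  # path named in the thread
    [switch]$CheckDirectory   # also try to bind to the conflicting object
)

# Constructed sample: lines copied from the log excerpt quoted in the thread,
# used when $LogPath does not exist so the script also runs off the server.
$sample = @'
[12/22/2014 18:01:09.0299] [2] Beginning processing initialize-ExchangeUniversalGroups -DomainController:'PRODDC01.MyDomain.com' -ActiveDirectorySplitPermissions:$null
[12/22/2014 18:01:10.0940] [2] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[12/22/2014 18:01:11.0158] [1] Setup is stopping now because of one or more critical errors.
'@ -split "`r?`n"

function Get-SetupFailure {
    param([string[]]$Lines)
    # Entry format seen in the excerpt: [date time] [depth] message
    $entry  = '^\[(?<time>[\d/]+ [\d:.]+)\] \[(?<depth>\d+)\] (?<msg>.*)$'
    $exists = "Active Directory operation failed on (?<dc>\S+)\. " +
              "The object '(?<dn>[^']+)' already exists"
    $r = New-Object PSObject -Property @{
        Task = $null; FailedAt = $null; DomainController = $null
        ConflictDN = $null; SetupStopped = $false
    }
    $task = $null
    foreach ($line in $Lines) {
        if ($line -notmatch $entry) { continue }   # stack-trace / continuation lines
        $time = $Matches['time']; $msg = $Matches['msg']
        if ($msg -match '^Beginning processing (?<task>\S+)') {
            $task = $Matches['task']               # task currently running
        } elseif ((-not $r.ConflictDN) -and ($msg -match $exists)) {
            $r.Task = $task; $r.FailedAt = $time   # keep the first conflict only
            $r.DomainController = $Matches['dc']
            $r.ConflictDN = $Matches['dn']
        } elseif ($r.ConflictDN -and ($msg -match '^Setup is stopping now')) {
            $r.SetupStopped = $true
        }
    }
    return $r
}

function Test-VisibleToCurrentUser {
    param([string]$Server, [string]$DN)
    Add-Type -AssemblyName System.DirectoryServices
    # True/False from the directory; $null when the bind itself fails.
    try   { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/$DN") }
    catch { $null }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$failure = Get-SetupFailure -Lines $lines
if ($CheckDirectory -and $failure.ConflictDN) {
    # False here while the log says "already exists" is the mismatch the asker
    # reports in the last post: object present, not visible to this account.
    $visible = Test-VisibleToCurrentUser $failure.DomainController $failure.ConflictDN
    $failure | Add-Member NoteProperty VisibleToCurrentUser $visible
}
$failure | Format-List
```

Running it once under the affected account and once under another administrative account, both with -CheckDirectory, gives a side-by-side view of which account can see the object named in the log.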
